Re: PIX 501: NAT VPN Clients to Inside?

I have this working now, though I'm not sure why or how. :) I added
a NAT exemption rule for our entire public IP space to the 192.168.2.x
space and suddenly it started working. o_0 I added this through PDM
so I'll look closer at the actual "sh run" output to see if I can
fathom why that change made things work.

But now I have another question. I'd like to apply access
restrictions to the VPN clients so I added a deny rule on the outside
interface to block everything. But it seems that that isn't being
applied to traffic from VPN clients. If I want to block traffic from
the 192.168.2.x clients to everything on the 172.46.24.x network (and
then open up the specific items I want them to have access to) how
would I go about doing that?

By default the firewall will likely have sysopt configured and as a
result your VPNs will bypass the ACL feature check.

Secondly, you say that your NAT exemption rule is allowing all networks
back to your VPN pool. If so you may want to think about restricting
this using an ACL and NAT combo. Identify only the networks you want to
allow in No-NAT back to your clients; anything not identified will be
denied through the implicit 'deny any' at the end of the ACL.

Thirdly, I believe that you can apply access-list filters to the VPN
client tunnel as well. Look at the ASDM remote access VPN options; you
should spot how to do it, it's fairly intuitive.

Regards

Darren
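The three points above, written out as a PIX 6.x-style configuration fragment. This is an illustration added here, not Darren's or the original poster's actual config: the ACL names NONAT and VPN_IN, the server 172.46.24.10 and the port 3389 are assumptions, and the 172.46.24.0/24 inside network and 192.168.2.0/24 client pool are taken from the addresses quoted in the thread. The subnet masks are written the PIX 6.x way (real masks, not wildcards).

```cisco
! Added example, not from the thread. Assumes PIX OS 6.3, inside network
! 172.46.24.0/24, VPN client pool 192.168.2.0/24, and a hypothetical
! inside server 172.46.24.10 that the clients should reach on tcp/3389.

! 1. Stop decrypted IPsec traffic from bypassing the interface ACLs.
!    (The PDM checkbox "Bypass access check for all IPSec traffic" sets
!    or clears this same line.)
no sysopt connection permit-ipsec

! 2. NAT exemption scoped to the one inside network that should talk to
!    the pool. "nat 0 access-list" means: do not translate inside hosts
!    when the destination matches this ACL, so the VPN clients see the
!    real 172.46.24.x addresses. The implicit deny at the end of NONAT
!    leaves every other inside network under the normal nat/global pair,
!    and decrypted client traffic to those hosts has no matching
!    translation and is dropped.
access-list NONAT permit ip 172.46.24.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. With sysopt off, client traffic arriving through the tunnel on the
!    outside interface is checked against the outside ACL like any other
!    inbound packet. Permit only what the clients need, then deny the
!    rest of the pool to the inside network.
access-list VPN_IN permit tcp 192.168.2.0 255.255.255.0 host 172.46.24.10 eq 3389
access-list VPN_IN deny ip 192.168.2.0 255.255.255.0 172.46.24.0 255.255.255.0
access-group VPN_IN in interface outside
```

Leave the existing nat (inside) 1 / global pair in place; the nat 0 entry only adds an exception to it. If the outside interface already carries an access-group, fold the VPN_IN lines into that list instead of replacing it, since PIX 6.x allows one inbound ACL per interface and it applies to every inbound packet, encrypted or not.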

Heh. "Intuitive" and "PIX" are two words I never use in the same
sentence. I did, however, find the HUGE GLARING check option entitled
"Bypass access check for all IPSec Traffic". Not sure how I missed it
as the only way it could have been more obvious is if it had been on
fire or something.

I'm still a little fuzzy on the NAT exemption rule. I understand what
you're saying about restricting networks coming BACK to the VPN pool
addresses (192.168.2.x), but what I'm not following is that it appears
that I need to have that NAT "exemption" rule in place for the VPN
clients to be NAT'd to those network hosts. This is counter-intuitive
to me (see first sentence....:) ) as I would think that if a host was
on the list to be exempted from NAT it would be...well, exempted.
Unless Cisco uses some other wacky definition of "exempt".